When writing Servlet and JSP, thread security issues are easily ignored. If you ignore this problem, your program has potential hidden dangers.
1. Servlet's lifecycle Servlet is responsible for the web container. When the client requests servlet, the container is responsible for initializing the servlet, which is instantiated this servlet class. This instance is responsible for the client's request, general There will be no other servlet class, that is, multiple threads are using this instance. SERVLET is higher than CGI efficiency because servlet is multithreaded. If the servlet is declared as a single-threaded model, the container will maintain An instance pool, then there will be multiple instances.
2. Servlet's Thread Secure Servlet specification has declared that servlet is not a thread, so you have to note this problem when developing servlets. Here, you will explain the problem with a real model, first define a servlet class, then define a smulatemultithread class and WebContainer class .import javax.servlet.http.HttpServlet; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException;
// This class analog multi-thvlet case PUBLIC CLASS SmulateMultithread Implements Runnable {public smaratultithread () {} public static void main (String [] args) {// Process 100 request for (int i = 0; i <100; i ) {new Thread (new SmulateMultiThread ()) start ();.}} public void run () {HttpServletRequest request = null; HttpServletResponse response = null; try {WebContainer.getServlet () doGet (request, response);.} catch (IOException ex) {} catch (ServletException ex) {}}} // this is the Servlet class class UnsafeServlet extends HttpServlet {private String unsafe; public void init () throws ServletException {} // Process the HTTP Get request public void doGet (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {unsafe = Thread.currentThread () getName ();. System.out.println (unsafe);}} // this class is a container class WebContainer {private static UnsafeServlet us = New unsafeservlet (); public static unsafeservlet getServlet () {return us;}} output 100 different threads Name, if there is 100 requests to be processed by this servlet, then unsafe may have 100 devotations, and finally the client will get the wrong value. For example, the client 1 request thread name is Thread-1, but return to him May be thread-20. In reality, the user name I logged in is User1. After logging in, it becomes user2. So how can I be a servlet security, any multiple threads can share, do not use (instance variable class Variables), it is as simple as it can also use the synchronized synchronization method, but this is not high, and a single-threaded model can also be used. This kind of efficiency is lower, and 100 instances will be instantified when 100 requests come. The temporary variable in the method does not affect the thread security, because they are allocated on the stack, and each thread has their own private stack space. 3. The essence of thread security JSP in JSP is servlet, all as long as you understand SERVLET security issues, JSP security issues should be easy to understand. Use <%!%> Declared variables to servlet instance variables, not thread secure, others are threads safe. <%! String unsafevar;%> / / Is not the <% String Safevar;%> // thread security
Summary: Thread security issues are mainly caused by instance variables, regardless of the instance variables in Struts or JSP, or do not use instance variables, your program is thread safe.
